[Snort-users] Homebrew Snort Reactive/Unified2 output

Korodev korodev at ...11827...
Thu Apr 7 11:09:21 EDT 2011


> It is my opinion that you are better off spooling off of U2 files.  Given
> what you describe, you would not be reacting in real-time anyway and packets
> have already made it through, regardless of reacting using an output plugin
> or spooling off of U2 files.  The obvious benefit of spooling off of U2
> files is that it's snort version independent and does not require you to
> patch / maintain changes to the snort source every time a new version comes
> out.
>
> Just my .02
> JJC


Thanks for your input. I'm thinking spooling off U2 files in the end
will probably be the best solution, but I would like to experiment
with the output plugin. However, the common polling approach when
dealing with the U2 files won't work very well to achieve the desired
goals, so I'll have to implement some sort of async solution using
kqueue or something similar in FreeBSD.

\\korodev
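An added worked example of the spooling approach discussed in this thread (it is not part of the thread and not Snort's own code): an incremental Unified2 reader whose `feed()` is handed whatever bytes a polling loop, a kqueue wakeup or similar finds appended to the spool file, and which hands back only complete records, holding a half-written record until the rest arrives. It assumes the Unified2 serial record header and the legacy IPv4 IDS event (type 7) and packet (type 2) layouts from Snort's Unified2 definitions, all in network byte order; the class and function names and the sample records are constructed for the example.

```python
import ipaddress
import struct
from collections import namedtuple

# Unified2 serial record header: type and length, both big-endian uint32.
U2_HEADER = struct.Struct("!II")
# Record type values as defined by Snort's Unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Legacy IPv4 IDS event record (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
U2_IDS_EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")
IdsEvent = namedtuple("IdsEvent", (
    "sensor_id event_id event_second event_microsecond signature_id "
    "generator_id signature_revision classification_id priority_id "
    "ip_source ip_destination sport_itype dport_icode protocol "
    "impact_flag impact blocked"))

# Packet record (type 2): 7 x uint32 header followed by packet_length bytes of data.
U2_PACKET = struct.Struct("!IIIIIII")
Packet = namedtuple("Packet", "sensor_id event_id event_second packet_second "
                              "packet_microsecond linktype packet_length data")


def decode_record(rtype, body):
    """Decode one record body; unknown or short records are returned raw."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) >= U2_IDS_EVENT.size:
        return IdsEvent(*U2_IDS_EVENT.unpack_from(body))
    if rtype == UNIFIED2_PACKET and len(body) >= U2_PACKET.size:
        fields = U2_PACKET.unpack_from(body)
        plen = fields[6]
        return Packet(*fields, body[U2_PACKET.size:U2_PACKET.size + plen])
    return (rtype, body)


class Unified2Spooler:
    """Incremental Unified2 reader (constructed name, not a Snort class).

    feed() takes the bytes currently available from the spool file and
    returns the complete records in them.  A trailing partial record stays
    buffered until the next feed(), because Snort may have written the
    header (or part of the body) when the reader is woken up.
    """

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        self.buf += data
        records = []
        while len(self.buf) >= U2_HEADER.size:
            rtype, rlen = U2_HEADER.unpack_from(self.buf)
            end = U2_HEADER.size + rlen
            if len(self.buf) < end:
                break  # body not fully on disk yet; wait for more data
            records.append(decode_record(rtype, self.buf[U2_HEADER.size:end]))
            self.buf = self.buf[end:]
        return records


def describe_event(ev):
    """Render the fields a reactive consumer would act on."""
    return "gid %d sid %d rev %d %s:%d -> %s:%d proto %d" % (
        ev.generator_id, ev.signature_id, ev.signature_revision,
        ipaddress.IPv4Address(ev.ip_source), ev.sport_itype,
        ipaddress.IPv4Address(ev.ip_destination), ev.dport_icode, ev.protocol)


def build_sample_spool():
    """Constructed sample bytes, not real Snort output: one event plus its packet."""
    event = U2_IDS_EVENT.pack(
        1, 42, 1302188961, 0,       # sensor, event id, event time (s, us)
        1000001, 1, 3,              # sid, gid, rev
        0, 2,                       # classification, priority
        0xC0A80001, 0x0A000002,     # 192.168.0.1 -> 10.0.0.2
        12345, 80, 6,               # sport, dport, protocol (TCP)
        0, 0, 0)                    # impact_flag, impact, blocked
    payload = b"GET / HTTP/1.0\r\n\r\n"
    packet = U2_PACKET.pack(1, 42, 1302188961, 1302188961, 0, 1, len(payload)) + payload
    return (U2_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + U2_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


def demo():
    """Feed the sample in two chunks, the cut landing inside the packet record."""
    spool = build_sample_spool()
    reader = Unified2Spooler()
    cut = U2_HEADER.size + U2_IDS_EVENT.size + 10
    first = reader.feed(spool[:cut])    # event complete, packet only partly present
    second = reader.feed(spool[cut:])   # remainder arrives, packet record completes
    return first, second, reader.buf


if __name__ == "__main__":
    first, second, leftover = demo()
    print(describe_event(first[0]))
    print(second[0].packet_length, second[0].data, len(leftover))
```

In a real deployment the two `feed()` calls would be replaced by reads triggered by the file-change notification (or by a poll interval), and the reader would also have to notice spool-file rotation; the buffering logic is what makes the async approach safe against records that are only half written when the notification fires.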